Exam CISSP: Certified Information Systems Security Professional
Here you can download free practice tests CISSP: Certified Information Systems Security Professional. Free dumps for CISSP exam questions and answers in PDF format also you can read online. 30 – 60 days FREE updates new questions
CISSP PREMIUM PDF Pro file
Use code “VCEup”: $32.5
|
Use code “VCEup”: $45.5
|
Free PDF Format
Title Size Hits Download ISC.Premium.CISSP.162q - DEMO 802.08 KB 147 Download VCEup-ISC.Premium.CISSP.561q 1.06 MB 146 Download (VCEup.com)-ISC.selftestengine.CISSP.v2020-06-16.by.zhanglei... 406.43 KB 2508 Download (VCEup.com)-ISC.Test-king.CISSP.v2019-02-10.by.Alex.724q 3.67 MB 3568 Download (VCEup.com)-ISC.Test4prep.CISSP.v2018-11-11.by.Ben.715q 3.61 MB 1999 Download (VCEup.com)-ISC.Prepaway.CISSP.v2018-09-15.by.Nicholas.700q 3.69 MB 1980 Download (VCEup.com)-ISC.Actualtests.CISSP-2018.v2018-07-24.by.Anna.3... 225.61 KB 2279 Download
| Title | Size | Hits | Download |
|---|---|---|---|
| ISC.Premium.CISSP.162q - DEMO | 802.08 KB | 147 | Download |
| VCEup-ISC.Premium.CISSP.561q | 1.06 MB | 146 | Download |
| (VCEup.com)-ISC.selftestengine.CISSP.v2020-06-16.by.zhanglei... | 406.43 KB | 2508 | Download |
| (VCEup.com)-ISC.Test-king.CISSP.v2019-02-10.by.Alex.724q | 3.67 MB | 3568 | Download |
| (VCEup.com)-ISC.Test4prep.CISSP.v2018-11-11.by.Ben.715q | 3.61 MB | 1999 | Download |
| (VCEup.com)-ISC.Prepaway.CISSP.v2018-09-15.by.Nicholas.700q | 3.69 MB | 1980 | Download |
| (VCEup.com)-ISC.Actualtests.CISSP-2018.v2018-07-24.by.Anna.3... | 225.61 KB | 2279 | Download |
The content of the CISSP has been refreshed to reflect the most pertinent issues that information security professionals currently face, along with the best practices for mitigating those issues. Some topics have been updated while others have been realigned. The result is an exam that most accurately reflects the technical and managerial competence required from an experienced information security professional to effectively design, engineer, implement and manage an organization’s information security program within an ever-changing security landscape.
| Previous CISSP Domain Name | New CISSP Domain Name |
| Domain 1: Security and Risk Management | Domain 1: Security and Risk Management |
| Domain 2: Asset Security | Domain 2: Asset Security |
| Domain 3: Security Engineering | Domain 3: Security Architecture and Engineering |
| Domain 4: Communications and Network Security | Domain 4: Communication and Network Security |
| Domain 5: Identity and Access Management | Domain 5: Identity and Access Management (IAM) |
| Domain 6: Security and Assessment Testing | Domain 6: Security Assessment and Testing |
| Domain 7: Security Operations | Domain 7: Security Operations |
| Domain 8: Software Development Security | Domain 8: Software Development Security |
The domain weights are as follows:
| Major Domains | Weightings (Percentage) |
| Domain 1: Security and Risk Management | 15% |
| Domain 2: Asset Security | 10% |
| Domain 3: Security Architecture and Engineering | 13% |
| Domain 4: Communication and Network Security | 14% |
| Domain 5: Identity and Access Management (IAM) | 13% |
| Domain 6: Security Assessment and Testing | 12% |
| Domain 7: Security Operations | 13% |
| Domain 8: Software Development Security | 10% |
| Total | 100% |
OVERVIEW OF CHANGES (Buyer review)
DOMAIN 1: SECURITY AND RISK MANAGEMENT (15% of the exam content)
As you will see below, there almost no change in content for this domain. There was some reformatting of the names of some of the bullets and that is about it.
Overall, I can honestly say there was at most 1% change within this domain. Nothing significant.
Apply Security governance principles through:
| TOPIC | 2015 CBK® OLD NAME |
2018 CBK® NEW NAME |
| 1.2 | Apply security governance principles through: | Evaluate & Apply security governance principles through: |
| 1.2 | Control frameworks | Security Control frameworks |
| 1.3 | Compliance | Determine Compliance Requirements |
| 1.3 | Legislative and regulatory compliance | Contractual, Legal, Industry standards, and Regulatory Requirements. |
| 1.3 | Privacy requirements compliance | Privacy requirements |
| 1.4 | Computer crimes | Cyber Crimes and Data Breaches |
| 1.4 | Licensing and intellectual property | Licensing and intellectual property requirements |
| 1.4 | Data Breaches | REMOVED AND ADDED TO BULLET ABOVE |
| 1.5 | Understand professional ethics | Understand, adhere to, and promote professional ethics |
| 1.5 | Exercise (ISC)2 Code of Professional Ethics | (ISC)2 Code of Professional Ethics |
| 1.5 | Support organization’s code of ethics | Organizational code of ethics |
| 1.6 | Develop and Implement documented security policy, standards, procedures, and guidelines. | Develop, Document, and Implement security policy, standards, procedures, and guidelines. |
| 1.7 | Understand Business Continuity requirements | Identify, Analyse, and Prioritize Business Continuity requirements |
| 1.7 | Develop and document project scope and plan | Develop and document scope and plan |
| 1.7 | Conduct business impact analysis | Business impact analysis |
| 1.8 | Contribute to personnel security policies | Contribute to and enforce personnel security policies and procedures |
| 1.8 | Employment Candidate Screening | Candidate Screening and Hiring |
| 1.8 | Employment termination processes | Onboarding and termination process |
| 1.8 | Vendor, consultant, and contractor controls | Vendor, consultant, and contractor agreements and controls |
| 1.8 | Compliance | Compliance Policy Requirements |
| 1.8 | Privacy | Privacy Policy Requirments |
| 1.9 | Risk Assessment/acceptance | Risk Response |
| 1.9 | Countermeasure Selection | Countermeasure Selection and Implementation |
| 1.9 | Implementation | REMOVED AND ADDED TO BULLET ABOVE |
| 1.9 | Control Assessment | Security Control Assessment |
| 1.9 | Types of Controls | Applicable types of controls |
| 1.10 | Understand and apply threat modeling | Understand and apply threat modeling concepts and methodology |
| 1.10 | Identifying threats | REMOVED |
| 1.10 | Determining and Diagramming potential attacks | REMOVED |
| 1.10 | Performing reduction analysis | REMOVED |
| 1.10 | Technology and processes to remediate threats | REMOVED |
| 1.10 | Added: Threat Modeling concepts | |
| 1.10 | Added: Threat modeling methodologies | |
| 1.11 | Integrate security risk considerations into acquisition strategy and practice | Apply risk-based management concepts to the supply chain |
| 1.11 | Hardware, Software, and Services | Risks associated with Hardware, Software, and Services |
| 1.12 | Establish and manage information security education, training, and awareness | Establish and maintain a security education, training, and awareness program |
| 1.12 | Appropriate levels of awareness, training, and education required within organization | REMOVED AND REPLACE BY THE TWO BULLETS BELOW |
| 1.12 | Periodic reviews for content relevancy | Periodic content reviews |
| 1.12 | Added: Method and Techniques to present awareness and training | |
| 1.12 | Added: Program effectiveness evaluation | |
DOMAIN 2: ASSET SECURITY (10% of the exam content)
As you will see below, there almost no change in content for this domain. There was some reformatting of the names of some of the bullets and that is about it.
Overall, I can honestly say there was less than 1% change within this domain. Nothing significant.
I was glad to see that Cryptography was removed. However, Data Protection Methods has been added and of course, that will talk about cryptography used to protect your data. So in summary: No change just different names.
| TOPIC | 2015 CBK® OLD NAME |
2018 CBK® NEW NAME |
| 2.1 | Classify Information and Supporting assets | Identify and Classify information and assets |
| 2.2 | Determine and Maintain ownership | Determine and maintain information and assets ownership |
| 2.1 | Added: Data Classification | |
| 2.1 | Added: Asset Classification | |
| 2.5 | Baselines | REMOVED |
| 2.5 | Added: Understand data states | |
| 2.5 | Cryptography | REMOVED |
| 2.5 | Added: Data Protection Methods | |
| 2.6 | Establish handling requirements | Establish Information and Assets handling requirements |
DOMAIN 3 – NEW DOMAIN NAME IS: Security Architecture and Engineering (13% of the exam content)
Hum… This change reminds me of the old Security Architecture and Design domain we had on the 2012 CBK®. As you can see History always repeats itself.
As you will see below, there almost no change in content for this domain. There was some reformatting of the names of some of the bullets and that is about it.
If I am being generous I can say there is about 1% of changes in this domain.
Topics such as the Internet of Things (IOT) and Cloud-Based systems were added to the description. However, those topics were already included in the 2012 CBk and there is no new content just bullets added to Domain 3 list. Some of the other topics were removed from the list but were simply moved and kept on the list by combining them with other topics.
| TOPIC | 2015 CBK® OLD NAME |
2018 CBK® NEW NAME |
| 3.3 | Select controls and countermeasures based upon systems security evaluation models | Select controls based upon systems security requirements |
| 3.4 | Understand security capabilities of information systems (e.g., memory protection, trusted platform module, interfaces, fault tolerance) | Understand security capabilities of information systems (e.g., memory protection, trusted platform module, encryption/decryption) |
| 3.5 | Large-scale parallel data systems | REMOVED |
| 3.5 | Added: Internet of Things (IOT) | |
| 3.5 | Added: Cloud-Based Systems | |
| 3.8 | Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, internet of things (IOT) | Assess and mitigate vulnerabilities in embedded devices |
| 3.9 | Cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance) | Cryptographic life cycle (Key Management, Algorithm selection) |
| 3.9 | Cryptographic Types (e.g., symmetric, asymmetric, elliptic curves) | Cryptographic Methods |
| 3.9 | Integrity (hashing and salting) | Integrity (hashing) |
| 3.9 | Methods of Cryptanalytic attacks (e.g., brute force, ciphertext only, known plaintext) | Understand methods of Cryptanalytic attacks |
| 3.10 | Apply secure principles to site and facility design | REMOVED |
| 3.11 | Design and Implement physical security | Implement site and facility Security Controls |
| 3.11 | Wiring closets | Wiring Closets/Intermediate distribution facility |
| 3.11 | Server rooms | Server rooms/data centers |
| 3.11 | Data Center Security | REMOVED combined with bullet above |
| 3.11 | Utilities and HVAC considerations | Utilities and HVAC |
| 3.11 | Water Issues (e.g., leakage, flooding) | Environmental issues |
DOMAIN 4: Communications and Network Security (14% of the exam content)
As you will see below, there almost no change in content for this domain. There was some reformatting of the names of some of the bullets and that is about it.
A few items were removed. As you can see Cryptography was removed and like I have mentioned previously that makes senses considering it is covered in depth with other domains. It seems ISC2 is bundling all of the Crypto content in one major section.
What amazed me with this domain is how wide it is and how short the description is. The CBK® and the Detailed Content Outline (DCO) does not do justice to this domain.
Overall there was less than 1% of changes within this domain. Nothing significant.
| TOPIC | 2015 CBK® OLD NAME |
2018 CBK® NEW NAME |
| 4 .1 | Apply secure design principle to network architecture | Apply secure design principle in network architecture |
| 4.1 | Cryptography used to maintain communication security | REMOVED |
| 4.2 | Network Access Control devices | Network Access Control (NAC) devices |
| 4.2 | Physical Devices | REMOVED |
| 4.3 | Design and establish secure communication channels | Implement secure communication channels according to design |
| 4.4 | Prevent and Mitigate network attacks | REMOVED |
DOMAIN 5: Identity and Access Management (IAM) (13% of the exam content)
The acronym (IAM) was added to the end of the domain name.
As you will see below, there almost no change in content for this domain. There was some reformatting of the names of some of the bullets and that is about it.
Six items were added to further clarify the existing content. Attribute-Based Access Control is a new topic that was added.
This is another domain with less than 1% of changes within the domain content. Nothing significant.
What is Attribute Based Access Controls?
Attribute-based access control (ABAC) defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes etc.). This model supports Boolean logic, in which rules contain “IF, THEN” statements about who is making the request, the resource, and the action. For example: IF the requestor is a manager, THEN allow read/write access to sensitive data.
| TOPIC | 2015 CBK® OLD NAME |
2018 CBK® NEW NAME |
| 5.2 | Manage Identification and authentication of people and devices | Manage Identification and authentication of people, devices, and Services |
| 5.2 | Federated Identity Management | Federated Identity Management (FIM) |
| 5.3 | Integrate Identity as a service (e.g., cloud identity) | Integrate Identity as a third-party service |
| 5.3 | Added: On-premise | |
| Added: Cloud | ||
| Added: Federated | ||
| 5.4 | Integrate third-party identity services (e.g., on premised) | REMOVED replaced by bullet above |
| 5.5 | Added: Attribute Based Access Controls | |
| 5.6 | Prevent and Mitigate access control attacks | REMOVED |
| 5.7 | Added: User Access Review | |
| 5.7 | Added: System Account Access Review | |
| 5.7 | Added: Provisioning and Deprovisioning |
DOMAIN 6: Security Assessment and Testing (12% of the exam content)
As you will see below, there almost no change in content for this domain. There was some reformatting of the names of some of the bullets and a few items were added to further clarify what is the content.
Overall, there was 0% of new content added to this domain.
| TOPIC | 2015 CBK® OLD NAME |
2018 CBK® NEW NAME |
| 6.1 | Design and Validate assessment and test strategies | Design and Validate Assessment, test, and audit strategies. |
| 6.1 | Added: internal | |
| 6.1 | Added: external | |
| 6.3 | Collect security process data (e.g., management and operational controls) | Collect security process data (e.g., Technical and Administrative) |
| 6.3 | Management review | Management review and approval |
| 6.3 | Disaster Recovery and Business Continuity | Disaster Recovery (DR) and Business Continuity (BC) |
| 6.4 | Analyze and report test outputs (e.g., automated, manual) | Analyze and report test outputs and generate reports |
| 6.5 | Conduct or facilitate internal and third-party audits | Conduct or facilitate security audits |
| 6.5 | Added: Internal | |
| 6.5 | Added: External | |
| 6.5 | Added: Third-Party |
DOMAIN 7: Security Operations (13% of the exam content)
As you will see below, there almost no change in content for this domain. There was some reformatting of the names of some of the bullets.
As you will see a single entry was divided into multiple entries for more clarity.
Subjects such as Industry Standards, Asset management, and Duress were added.
Overall, I can honestly say there is less than 1% of changes within this domain. Nothing significant.
| TOPIC | 2015 CBK® OLD NAME |
2018 CBK® NEW NAME |
| 7.1 | Digital Forensics (e.g., media, network, software and embedded devices) | Digital Forensics tools, tactics, procedures |
| 7.2 | Operational | Administrative |
| 7.2 | Electronic Discovery (eDiscovery) | REMOVED |
| 7.2 | Added: Industry Standards | |
| 7.3 | Security information and event managment | Security information and event management (SIEM) |
| 7.4 | Secure provisioning of resources | Securely provisioning resources |
| 7.4 | Added: Asset Management | |
| 7.4 | Physical Assets | REMOVED |
| 7.4 | Virtual Assets (e.g., Software-defined network, virtual SAN, guest operating systems) | REMOVED |
| 7.4 | Cloud Assets (e.g., services, VMs, storage, networks) | REMOVED |
| 7.4 | Applications (e.g., workloads or private clouds, web services, software as a service. | REMOVED |
| 7.5 | Monitor Special Privilege (e.g., operations, administrator) | Privilege Account Management |
| 7.5 | Service-level agreements | Service-level agreements (SLA) |
| 7.6 | Employ resource protection techniques | Apply resource protection technique |
| 7.10 | Participate and Understand change management processes (e.g., versioning, baselining, security impact analysis) | Understand and participate in change management processes |
| 7.13 | Read-through | Read-through / TableTop |
| 7.14 | Participate in business continuity planning and exercises | Participate in business continuity (BC) planning and exercises |
| 7.15 | Perimeter (e.g., access control and monitoring) | Perimeter Security Controls |
| 7.15 | Internal Security | Internal Security Controls |
| 7.16 | Participate in addressing personnel safety concerns (e.g., duress, travel, monitoring) | Address personal safety and security controls |
| 7.16 | Added: Travel | |
| 7.16 | Added: Security Training and Awareness | |
| 7.16 | Added: Emergency Management | |
| 7.16 | Added: Duress |
DOMAIN 8: Software Development Security (10% of the exam content)
As you will see below, there is almost no change in content for this domain. There was some reformatting of the names of some of the bullets and that is about it.
Overall, I can honestly say there was less than 1% of changes within this domain. Nothing significant.
| TOPIC | 2015 CBK® OLD NAME |
2018 CBK® NEW NAME |
| 8.1 | Understand and apply security in the software development lifecycle | Understand and integrate security in the software development lifecycle (SDLC) |
| 8.2 | Enforce security controls in development environments | Identity and Apply security controls in development environments |
| 8.2 | Security weaknesses and vulnerabilities at the source code level (e.g., buffer overflow, escalation of privileges, input/output validation) | REMOVED but added further down as new topics and section. See 8.5 below. |
| 8.2 | Security of application programming interfaces | REMOVED but added further down as a new topic. See 8.5 below. |
| 8.3 | Acceptance testing | REMOVED |
| 8.5 | Added: Define and Apply Secure Coding Guidelines and Standards. | |
| 8.5 | Added: Security weaknesses and Vulnerabilities at the source code level | |
| 8.5 | Added: Security of Application Programming Interfaces (API) | |
| 8.5 | Added: Secure Coding Practices |
